jbabbtech
just joined
Topic Author
Posts: 20
Joined: Thu Sep 30, 2010 4:17 am

Second script no updating IPSEC peer

Fri Feb 25, 2011 7:00 pm

I have a 750 acting as a hub for 4 VPN connections. Two VPNs are plain vanilla static to static. The other two are static to dynamic. The first dynamic works fine with the use of a script for dynamically changing policy and peer. The second dynamic script, which is exactly the same as the first, will resolve but not update the peer and policy. I have combined the two scripts below:

# first dynamic peer: resolve the hostname, log it, then update peer and policy by item number
:local resolvedIP [:resolve "xxx.dyndns.org"];
/log info "$resolvedIP";
/ip ipsec peer set 2 address="$resolvedIP"
/ip ipsec policy set 2 sa-dst-address="$resolvedIP"
#
# second dynamic peer: identical steps, different hostname and item number
:local resolveIP [:resolve "yyy.dyndns.org"];
/log info "$resolveIP";
/ip ipsec peer set 3 address="$resolveIP"
/ip ipsec policy set 3 sa-dst-address="$resolveIP"
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: Second script no updating IPSEC peer

Fri Feb 25, 2011 11:13 pm

Here is what I use:
/ip ipsec {
    # select every peer whose comment starts with "+" (the dynamic-update marker)
    :foreach i in=[peer find comment~"^\\+.*"] do={
        # current address is stored as "a.b.c.d/32:500"; keep only the address part
        :local curPeerIP [peer get $i address]
        :set curPeerIP [:pick $curPeerIP 0 [:find $curPeerIP "/" -1]]

        # the comment minus its leading "+" is the DNS name to resolve
        :local dnsName [peer get $i comment]
        :set dnsName [:pick $dnsName 1 [:len $dnsName]]
        :local dnsAddress [:resolve $dnsName]
        
        # only touch the configuration when the resolved address has changed:
        # first every policy that points at the old address, then the peer itself
        :if ($curPeerIP != $dnsAddress) do={
            policy set [policy find sa-dst-address=$curPeerIP] sa-dst-address=$dnsAddress;
            peer set $i address=($dnsAddress . "/32:500");
        }
    }
}
I add the DNS name as a comment to the ip ipsec peer, prefixed with a + like "+xxx.dyndns.org" (it is part of a larger script complex that enables and disables dynamic update with different prefix characters). It only makes changes when needed, and it can handle multiple policies per peer.
ipsec peer comments were introduced a while back, but haven't found their way into WinBox yet, so add by cli.
 
jbabbtech
just joined
Topic Author
Posts: 20
Joined: Thu Sep 30, 2010 4:17 am

Re: Second script no updating IPSEC peer

Thu Mar 10, 2011 3:51 am

I like the attached script but I still don't understand why the set property does not work correctly.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Second script no updating IPSEC peer

Thu Mar 10, 2011 3:55 am

Probably because you cannot just use item numbers in scripts. You should find the peer item, and then set on that found item.
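The following is an added example, not code posted in this thread: the original poster's two-peer updater rewritten the way fewi suggests, selecting items with find instead of hard-coded item numbers. It assumes that each peer and each policy carries a comment equal to its DynDNS hostname (the hostnames below are placeholders), that peer addresses use the "address/32:500" form seen in psamsig's script, and that the comparison against the current address is wanted so that unchanged peers are left alone.

```routeros
# Added example (not from the thread). Assumptions: peers and policies are
# commented with the DynDNS hostname they belong to; "xxx.dyndns.org" and
# "yyy.dyndns.org" are placeholders; peer addresses have the "ip/32:500" form.
:local hosts {"xxx.dyndns.org"; "yyy.dyndns.org"}

:foreach host in=$hosts do={
    :local newIP [:resolve $host]

    # select the peer by its comment rather than by its position in the list;
    # positions shift when items are added or removed, comments do not
    :local peerID [/ip ipsec peer find comment=$host]
    :if ([:len $peerID] = 0) do={
        :log warning "ipsec-dyn: no peer commented $host, nothing updated"
    } else={
        # strip "/32:500" so we compare address against address
        :local cur [/ip ipsec peer get $peerID address]
        :set cur [:pick $cur 0 [:find $cur "/" -1]]

        # only rewrite the configuration when the resolved address changed
        :if ($cur != [:tostr $newIP]) do={
            :log info "ipsec-dyn: $host changed from $cur to $newIP"
            /ip ipsec policy set [find comment=$host] sa-dst-address=$newIP
            /ip ipsec peer set $peerID address=($newIP . "/32:500")
        }
    }
}
```

Selecting by comment also means a policy and its peer are updated together even when several policies share one peer, because find returns every matching item. A failed :resolve stops the script with an error in the RouterOS versions of this thread, so scheduling it to run every few minutes is the usual way to recover from a transient DNS failure.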
 
pbalazs123
just joined
Posts: 5
Joined: Wed Jul 01, 2009 9:51 pm
Location: Hungary, Budapest

Re: Second script no updating IPSEC peer

Sat Jan 28, 2012 5:08 pm

Hi folks!

I know this is a bit of an outdated topic, but I need help with this script. My problem is that my destination and source address are dynamic too. I need a script that can update sa-dst-address and sa-src-address too. Can someone write another script? It's urgently needed.

Example pictures of what I need:

Thank you!
 
pbalazs123
just joined
Posts: 5
Joined: Wed Jul 01, 2009 9:51 pm
Location: Hungary, Budapest

Re: Second script no updating IPSEC peer

Sat Feb 04, 2012 5:27 pm

No one can help? :(